Event Tracing for Windows

The functional interface that supports Event Tracing for Windows (ETW) in user
mode began in ADVAPI32.DLL. The exported functions are all documented. They were
all introduced for version 5.0, i.e., for Windows 2000, unless otherwise noted.

CloseTrace

ControlTrace

EnableTrace

EnableTraceEx (6.0)

EnumerateTraceGuids (5.1)

EnumerateTraceGuidsEx (6.0)

EventAccessControl (6.0)

EventAccessQuery (6.0)

EventAccessRemove (6.0)

FlushTrace (5.1)

OpenTrace

ProcessTrace

QueryAllTraces

QueryTrace (5.1)

RemoveTraceCallback

SetTraceCallback

StartTrace

StopTrace (5.1)

UpdateTrace (5.1)

Microsoft’s documentation would have it that QueryTrace, StopTrace and UpdateTrace
are originals. They are not. They are, however, supported as macros if the symbol
__TRACE_W2K_COMPATIBLE is defined before including EVNTRACE.H.

ADVAPI32 also exports the following ETW functions as forwards to NTDLL. Some
of these functions have implementations in ADVAPI32 in early versions. Some have never
existed except as forwards to NTDLL. The target functions in NTDLL are not documented—few
NTDLL functions are—but the highlighted functions are not documented even as exports
from ADVAPI32.

Some of the functions that are nowadays implemented in ADVAPI32 are forwarded
to NTDLL in version 5.2 only. This is here treated as anomalous. The functionality
was moved to NTDLL and then was restored to ADVAPI32: the target functions do not
exist in NTDLL version 6.0.